Configure users and roles

Splunk Enterprise Security uses the access control system built into the Splunk platform. Splunk platform authorization lets you add users, assign users to roles, and give those roles custom capabilities, which provides granular, role-based access control for your organization.

Splunk Enterprise Security relies on the admin user to run its saved searches. If you plan to delete the admin user, first reassign the knowledge objects (such as saved searches) that the admin user owns to another user. Saved searches owned by a user that no longer exists are orphaned and are not run by the scheduler.

Configuring user roles

Splunk Enterprise Security adds three roles to the default roles provided by the Splunk platform. The new roles let a Splunk administrator grant access to specific ES functions based on what a user needs to do. The Splunk platform administrator assigns groups of users to the roles that best fit the tasks those users perform and manage in Splunk Enterprise Security. There are three categories of users.

Security Director (Splunk ES role: ess_user)
    Seeks to understand the current security posture of the organization, primarily by reviewing the Security Posture, Protection Centers, and Audit dashboards. A security director does not configure the product or manage incidents.

Security Analyst (Splunk ES role: ess_analyst)
    Uses the Security Posture and Incident Review dashboards and Investigations to manage and investigate security incidents. Security Analysts also review the Protection Centers and decide what constitutes a security incident. A Security Analyst must be able to edit notable events.

Solution Administrator (Splunk ES role: admin or sc_admin)
    Installs and maintains Splunk platform installations and Splunk apps. This user configures workflows, adds new data sources, and tunes and troubleshoots the application.

Each Splunk Enterprise Security custom role inherits from Splunk platform roles and adds capabilities specific to Splunk ES. Not all three custom ES roles can be assigned directly to users.

ess_user
    Inherits from Splunk platform role: user
    Added Splunk ES capabilities: real-time search, list search head clustering
    Can be assigned to users: Yes. Replaces the user role for ES users.

ess_analyst
    Inherits from Splunk platform roles: user, ess_user, power
    Added Splunk ES capabilities: Inherits ess_user and adds the capabilities to create, edit, and own notable events and perform all transitions, edit glass tables, and create and modify investigations.
    Can be assigned to users: Yes. Replaces the power role for ES users.

ess_admin
    Inherits from Splunk platform roles: user, ess_user, power, ess_analyst
    Added Splunk ES capabilities: Inherits ess_analyst and adds several other capabilities.
    Can be assigned to users: No. You must use a Splunk platform admin role to administer an Enterprise Security installation.

See the capabilities specific to Splunk Enterprise Security for more details about which capabilities are assigned to which roles by default.

The Splunk platform admin role inherits all unique ES capabilities. In a Splunk Cloud deployment, the Splunk platform admin role is named sc_admin. Use the admin or sc_admin role to administer an Enterprise Security installation.

admin
    Inherits from roles: user, ess_user, power, ess_analyst, ess_admin
    Added capabilities: All
    Accepts user assignment: Yes.

sc_admin
    Inherits from roles: user, ess_user, power, ess_analyst, ess_admin
    Added capabilities: All
    Accepts user assignment: Yes.

Role inheritance

All role inheritance is preconfigured in Enterprise Security. An inheriting role receives the capabilities of the roles it imports, so if you change the capabilities of any role, every role that inherits from it receives the change as well. Review the inheriting roles before you add a capability to a base role such as ess_user. For more information about roles, see the Splunk platform documentation.

Add capabilities to a role

Capabilities control the level of access that roles have to various features in Splunk Enterprise Security. Use the Permissions page in Enterprise Security to review and change the capabilities assigned to a role.

Capabilities specific to Splunk Enterprise Security

Add capabilities on the Permissions page in Splunk Enterprise Security so that the proper access control lists (ACLs) are updated; the Permissions page makes the ACL changes for you. If you instead add these custom capabilities on the Splunk platform Settings page, you must update the ACLs yourself.

Enterprise Security also exposes search quota settings for the admin and power roles: a disk quota for the admin role and a concurrent-search quota for each of the admin and power roles.

Disk space quota for the admin role
    The maximum disk space (MB) that a user with the admin role can use to store search job results.

Search Jobs Quota (admin)
    The maximum number of concurrent searches for users with the admin role.

Search Jobs Quota (power)
    The maximum number of concurrent searches for users with the power role.

To change the limits for roles other than admin and power, edit the authorize.conf file and set the search quota keys (srchJobsQuota and srchDiskQuota) in that role's stanza. See authorize.conf.example in the Splunk Enterprise Admin manual.

Configure the roles to search multiple indexes

The Splunk platform stores ingested data sources in multiple indexes. Distributing data across indexes lets you apply role-based access control and vary retention policies per data source. By default, the Splunk platform configures roles to search only the main index (the srchIndexesAllowed setting in authorize.conf). Because a role also inherits the index access of the roles it imports, grant index access on the lowest role that needs it and check the effective index set of every inheriting role. For more information about working with roles, see the Splunk platform documentation.
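The following is an added example, not Splunk's code and not part of the original page. It models the behaviour described in the "Role inheritance" section, the search quota settings, and this section as a small resolver over an authorize.conf-style fragment: it parses [role_<name>] stanzas, follows importRoles transitively, and reports each role's effective capabilities, allowed indexes and own quota values, so you can see which roles receive a change made to a base role such as ess_user. The fragment is constructed for illustration (it does not reproduce the exact capability set of any shipped ES role), and edit_notable_events, edit_glass_tables and edit_es_settings are placeholder capability names rather than Splunk's real ES capability names; the other keys (importRoles, rtsearch, list_search_head_clustering, srchIndexesAllowed, srchJobsQuota, srchDiskQuota) are real authorize.conf settings.

```python
"""Added example (not Splunk's code): resolve effective capabilities, allowed indexes
and search quotas for Splunk roles from an authorize.conf-style fragment.
Assumptions: the stanza layout follows authorize.conf ([role_<name>], importRoles,
<capability> = enabled, srchIndexesAllowed, srchJobsQuota, srchDiskQuota); the
fragment is constructed for illustration, and edit_notable_events, edit_glass_tables
and edit_es_settings are placeholder names, not Splunk's real ES capability names."""
import configparser
from typing import Dict, Optional, Set

# Constructed fragment mirroring the role inheritance this page describes.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main
search = enabled
[role_power]
importRoles = user
schedule_search = enabled
[role_ess_user]
importRoles = user
rtsearch = enabled
list_search_head_clustering = enabled
srchIndexesAllowed = main;security
[role_ess_analyst]
importRoles = user;ess_user;power
edit_notable_events = enabled
edit_glass_tables = enabled
srchJobsQuota = 20
[role_ess_admin]
importRoles = user;ess_user;power;ess_analyst
edit_es_settings = enabled
[role_admin]
importRoles = user;ess_user;power;ess_analyst;ess_admin
admin_all_objects = enabled
srchIndexesAllowed = *
srchJobsQuota = 50
srchDiskQuota = 10000
"""

# authorize.conf keys that are per-role settings rather than capabilities.
NON_CAPABILITY_KEYS = {
    "importRoles", "srchIndexesAllowed", "srchIndexesDefault", "srchFilter",
    "srchTimeWin", "srchJobsQuota", "rtSrchJobsQuota", "srchDiskQuota",
    "cumulativeSrchJobsQuota", "cumulativeRTSrchJobsQuota",
}

def load_roles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [role_<name>] stanzas into {name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: capability names are case-sensitive
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def imported_roles(roles, name: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Every role `name` imports, transitively; cycles and unknown roles are tolerated."""
    seen = set() if seen is None else seen
    for parent in roles.get(name, {}).get("importRoles", "").split(";"):
        parent = parent.strip()
        if parent and parent not in seen:
            seen.add(parent)
            imported_roles(roles, parent, seen)
    return seen

def effective_capabilities(roles, name: str) -> Set[str]:
    """Union of capabilities enabled in the role and in every role it imports.
    An importing role cannot drop inherited capabilities, so a change to a base
    role is reflected here for every role that imports it."""
    caps: Set[str] = set()
    for r in {name} | imported_roles(roles, name):
        for key, value in roles.get(r, {}).items():
            if key not in NON_CAPABILITY_KEYS and value.strip().lower() == "enabled":
                caps.add(key)
    return caps

def allowed_indexes(roles, name: str) -> Set[str]:
    """srchIndexesAllowed accumulates across imported roles; '*' means every index."""
    idx: Set[str] = set()
    for r in {name} | imported_roles(roles, name):
        raw = roles.get(r, {}).get("srchIndexesAllowed", "")
        idx.update(i.strip() for i in raw.split(";") if i.strip())
    return {"*"} if "*" in idx else idx

def roles_inheriting(roles, name: str) -> Set[str]:
    """Roles whose import chain reaches `name`: these receive its capability changes."""
    return {r for r in roles if name in imported_roles(roles, r)}

def own_quota(roles, name: str, key: str) -> Optional[int]:
    """Quota set directly in the role's own stanza. How quotas combine across a
    user's several roles is not modelled here (see authorize.conf.spec)."""
    value = roles.get(name, {}).get(key)
    return int(value) if value is not None else None

ROLES = load_roles(AUTHORIZE_CONF)
```

Call `roles_inheriting(ROLES, "ess_user")` before adding a capability to ess_user to list the roles that will silently gain it (ess_analyst, ess_admin and admin in this fragment), and `allowed_indexes(ROLES, role)` to confirm that an index granted on a base role has not widened the search scope of a role you did not intend to change.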
